Re: Interoperation with SELinux

Re: Interoperation with SELinux

[Casey Schaufler]

Robert Mykland wrote:
> Gentlemen,
>
> I am trying to write something that will allow only a particular
> application to access a particular block device in the system, except
> that maybe directory reads are allowed.  It seems clear that this
> would be simple to do as a security module, but SELinux is also used
> on the system I'm writing this for.  Reading the archives, it seems as
> though there's currently no way to write a security module that will
> interoperate with the SELinux security module.  Am I wrong?

No, you are correct. Stacking of Linux Security Modules (LSMs) is not
supported and the notion is currently out of favor.

>
> From my untutored perusal of the SELinux docs, I'm also getting the
> sense that I couldn't write this into an SELinux profile of some sort.

At the risk of sounding sarcastic (I'm the leader of the Loyal Opposition
to SELinux) I suspect that there is a way to do it using SELinux policy,
but that attempting it may require significant policy development skills.
You might take your question to the SELinux mailing list (I've cc'ed it
for you) as that's likely to be your best resource on this. Good luck.


>
> Your thoughts on this would be greatly appreciated.
>
> -- Robert.
>


--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.